[00:00.000 --> 00:07.200]  Good morning, DEF CON biohacking village. It's an honor to be here. If you're confused where you
[00:07.200 --> 00:13.740]  are, you're somewhere in cyberspace at your home. Following the DEF CON tradition, you may be
[00:13.740 --> 00:20.540]  somewhere between sober and completely intoxicated. We recommend aggressive rehydration and, you know,
[00:20.540 --> 00:25.140]  take a shower. That'll really help out. But before you do so, we appreciate you coming to our talk
[00:25.140 --> 00:31.760]  here. The talk is entitled Lessons Learned from a Pale Horse. What COVID-19 can teach us about
[00:31.760 --> 00:37.600]  healthcare cybersecurity. How are you, buddy? We haven't seen each other in person for a while.
[00:38.020 --> 00:41.600]  I feel like I haven't seen anybody in person for a long time.
[00:41.600 --> 00:46.920]  Was it November when we last saw each other, which for us is like a decade?
[00:47.220 --> 00:52.880]  Yeah, too long. I feel like I'm really missing my hacker family. I've just been talking with
[00:52.880 --> 00:59.280]  my wife about how much I miss going to DEF CON, seeing people in person, walking around. And then
[00:59.280 --> 01:04.420]  also, it's kind of depressing to think about it, but it's also a kind of a cool opportunity. Here
[01:04.420 --> 01:09.580]  we are at the Biohacking Village, but invited to speak here on a cool topic like this. And people
[01:09.580 --> 01:13.440]  all around the globe are going to be able to watch this. So I think we should go ahead and kick it
[01:13.440 --> 01:18.000]  off. What do you think, Jeff? I totally agree. But first, I think it's just so important to shout out
[01:18.000 --> 01:23.740]  what an amazing accomplishment and achievement it is that villages like the Biohacking Village
[01:23.740 --> 01:30.560]  and others, and even DEF CON itself, have been pulled into this safe mode virtual experience.
[01:30.560 --> 01:35.960]  As people who have done events ourselves, I can't even imagine the amount of work it took to do this,
[01:35.960 --> 01:40.260]  knowing that our friends at the Biohacking Village, and I'm sure others, have been working
[01:40.860 --> 01:45.780]  since last DEF CON on doing an amazing physical event, and then all of a sudden having to
[01:45.780 --> 01:50.360]  reverse course and change that. So I just want to give them a huge shout out and major props
[01:50.360 --> 01:58.500]  for what is a job very well done. But yeah, golf clubs, sure, absolutely, and more and more.
[01:59.760 --> 02:05.560]  Let's kind of get into it, man. I think when we originally came up with this, so first of all,
[02:05.560 --> 02:11.060]  I guess for those of us who we haven't had the pleasure of meeting, my name is Replicant Jeff.
[02:11.860 --> 02:16.320]  I am an anesthesiologist and security researcher hacker.
[02:17.400 --> 02:23.020]  My name is Christian Nemeth. People call me Kawati. That's my handle. I'm an emergency
[02:23.020 --> 02:28.390]  medicine physician and assistant professor over at UC San Diego.
[02:29.400 --> 02:34.140]  So I mean, we've both had the privilege of taking care of patients during this
[02:35.300 --> 02:41.040]  global pandemic. We have, you know, been in the critical care units and the emergency room,
[02:41.540 --> 02:46.140]  treating patients with COVID-19. And it's been kind of a surreal experience for us because
[02:46.660 --> 02:52.260]  before all of this, we were and still obviously are, you know, advocates for security and health
[02:52.260 --> 02:58.640]  care, being security researchers and kind of having this thesis statement that healthcare security is
[02:58.640 --> 03:04.340]  more than just privacy and patient records and things like that. There are, you know, vulnerabilities
[03:04.340 --> 03:08.840]  and we've gone over this extensively at other DEF CONs and other gatherings where we're able to
[03:08.840 --> 03:13.780]  talk about these things, you know, medical devices and healthcare infrastructure are as vulnerable
[03:13.780 --> 03:19.880]  as any other area of connected life. And we know that those vulnerabilities have the potential to
[03:19.880 --> 03:25.980]  potentially affect patients, both in how we care for them and their long term outcomes. So we've
[03:25.980 --> 03:32.220]  kind of been pushing this thesis for a while. And then all of a sudden, we found ourselves kind of
[03:32.220 --> 03:36.940]  on the front lines, knee deep in COVID patients during this pandemic. And that's kind of changed,
[03:36.940 --> 03:42.140]  I think, a little bit of our perspective about ways in which we as a healthcare system can prepare
[03:42.140 --> 03:48.060]  for not just events like this, but also security related concerns as well. So I think what we
[03:48.060 --> 03:53.780]  wanted to do is kind of see were there any insights that we obtained from our clinical
[03:53.780 --> 03:57.780]  practice and kind of how we think about disaster medicine, which we'll get into and
[03:59.680 --> 04:07.180]  utilization of resources and readiness and preparedness in a medical type of emergency.
[04:07.180 --> 04:12.940]  Can we apply some of those thoughts and lessons to the security realm? Sound like a plan?
[04:13.120 --> 04:17.140]  Sounds like a plan. We're gonna go ahead and get kicked off. Many of you out there are like,
[04:17.140 --> 04:22.560]  what is disaster medicine? It doesn't even make any sense. Like I'm familiar with cardiology,
[04:22.560 --> 04:27.180]  like they take care of the heart. I'm familiar with gastroenterology. You know, they give me
[04:27.300 --> 04:33.640]  a Valium, have me show up next morning and then scope my intestines. Well, many of you out there
[04:33.640 --> 04:39.140]  might be wondering, what is disaster medicine? And so under medicine, generally a medicine,
[04:39.140 --> 04:43.660]  you know, surgery, the practice of taking care of someone's health and treating disease,
[04:43.660 --> 04:50.220]  there are all sorts of disciplines. I practice emergency medicine. Jeff practices pediatrics
[04:50.220 --> 04:58.220]  and anesthesia. And there's so much to know in modern medicine, new treatments, new diseases that
[04:58.220 --> 05:03.500]  we, or sorry, diseases that we learn more about. And as a consequence, it's impossible for a doctor
[05:03.500 --> 05:08.860]  to know all of it. And it would actually probably be very unsafe for a doctor to practice, you know,
[05:08.860 --> 05:14.760]  every form of medicine. So we specialize. Under the house of medicine with all these different
[05:14.760 --> 05:22.440]  specialties, there's a subspecialty, a niche, a further niche, if you will, that discusses and
[05:22.440 --> 05:29.140]  studies and practices disaster medicine. Disaster medicine is how do you take care of people,
[05:29.140 --> 05:36.320]  not when you're in a fancy hospital where you have two MRI machines, an entire trauma team,
[05:36.320 --> 05:40.900]  you know, dozens and dozens of doctors on a particular service, and hundreds of nurses.
[05:40.900 --> 05:48.580]  Instead, how do you take care of thousands of patients during an earthquake or during a
[05:48.580 --> 05:53.660]  hurricane? How do you take care of patients as they're swelling through the front doors of your
[05:53.660 --> 05:58.680]  hospital during a pandemic? And you can see that there's some clear disaster medicine being
[05:58.680 --> 06:04.280]  practiced today all over the globe in response to the global pandemic. And this is a picture
[06:04.400 --> 06:10.160]  of a disaster in the United States and a particular specialized team that the government
[06:10.160 --> 06:17.220]  can call upon to remotely, sorry, to go to a particular location and practice disaster medicine.
[06:17.220 --> 06:21.540]  These are called DMAT teams or disaster medicine assistance teams. These are comprised of
[06:21.540 --> 06:26.940]  multidisciplinary teams, nurses, technicians, doctors, they'll go to a place in response to
[06:27.080 --> 06:31.600]  a disaster, they'll organize how they take care of all those patients, they'll deploy electronic
[06:31.600 --> 06:37.100]  health systems, and then they'll be able to help treat all of those people, perhaps in a high
[06:37.100 --> 06:42.300]  school gym, for instance, instead of a hospital. So these are called DMAT teams, they practice
[06:42.300 --> 06:47.880]  disaster medicine, and they study it. You know, lessons learned from Hurricane Maria, for example,
[06:47.880 --> 06:52.380]  well, we study that, do academic papers and publish them so that the next disaster that
[06:52.380 --> 06:59.760]  rolls around, we're better prepared to respond to that. Well, Jeff and I are thoroughly convinced
[06:59.760 --> 07:05.100]  that there should be a subsection of disaster medicine called cyber disaster medicine.
[07:05.100 --> 07:13.320]  And we picked a picture of the DEFCON CTF for a couple different reasons. One, because a lot of
[07:13.320 --> 07:19.260]  what cyber disaster medicine is going to be is merging the two disciplines of clinical practice,
[07:19.260 --> 07:26.100]  taking care of patients' health, treating disease, while also addressing technological problems,
[07:26.100 --> 07:31.880]  systems of connected medical technology that are malfunctioning or perhaps being attacked.
[07:31.880 --> 07:36.220]  That's really our premise of what Jeff had mentioned. Our argument, our thesis is that
[07:36.220 --> 07:41.660]  if you attack a hospital, because it's so connected, and so interdependent on vulnerable
[07:41.660 --> 07:49.180]  technology, if you attack that, it won't be available for patient care, or the integrity
[07:49.180 --> 07:54.540]  of the data flowing from these systems will be changed and unreliable, and as a consequence,
[07:54.540 --> 07:59.920]  patients' health will be affected. So we think there needs to be essentially a cyber DMAT team,
[07:59.920 --> 08:06.420]  so where we take doctors and hackers and nurses, put them in a team, and if some hospital in
[08:06.420 --> 08:13.220]  Nebraska or some hospital in Idaho gets hit by a ransomware attack, for example, and they are
[08:13.220 --> 08:20.100]  unable to take care of patients, they're going to need both the medical expertise, the person power
[08:20.100 --> 08:24.940]  to respond to taking care of the strokes and heart attacks that are happening, while also
[08:24.940 --> 08:31.380]  simultaneously working with the technical teams to mitigate the issue and fix those
[08:31.380 --> 08:38.060]  damages to the technological infrastructure to restore care. So we think convincingly,
[08:38.060 --> 08:41.700]  though, it's going to be more and more of a need of these hybrid teams, where we have both hackers
[08:41.700 --> 08:47.660]  and doctors responding to attacks on healthcare infrastructure. We call that cyber disaster
[08:47.660 --> 08:53.620]  medicine. And Claudia, just two points that I want to make real quick about the concept of
[08:53.620 --> 08:58.140]  disaster medicine in general is that it assumes that you're going to be operating from a standpoint
[08:58.140 --> 09:07.460]  of very limited and constrained resources. And it also implies in some sense that the outcomes you
[09:07.460 --> 09:12.520]  are able to achieve are going to be less than the ideal outcomes that you would have in a
[09:12.520 --> 09:18.120]  non-disaster situation, and that there is some sense of needing to triage priorities accordingly.
[09:19.120 --> 09:24.700]  Absolutely. And one of the kind of foundational tenets of disaster medicine is the concept you
[09:24.700 --> 09:32.860]  mentioned of triage. If you have 10 patients in front of you, one is dead or just nearly died,
[09:32.860 --> 09:40.420]  three are dying, and three are okay, and some are in between, you need a system to be able to respond
[09:41.120 --> 09:46.860]  in the right order to take care of the patients that you can best help with. So, you know,
[09:46.860 --> 09:52.460]  controversial part of this is, you know, don't treat the patients that are about to die. Those
[09:52.460 --> 10:00.100]  patients need advanced airways. They need, you know, five, six people to major surgery. Yeah,
[10:00.100 --> 10:03.960]  they might need major surgery. They might need, you know, a lot of broad spectrum antibiotics.
[10:03.960 --> 10:09.300]  They need a lot of things that you might not have. If you spend your time focusing on the people who
[10:09.300 --> 10:14.660]  are dying, doing CPR, those types of things, then those three people that might benefit from your
[10:14.660 --> 10:19.660]  care that don't need that many resources but still could have an adverse outcome if you don't
[10:19.660 --> 10:24.280]  pay attention to them immediately, those are affected. So, it's this concept of can you make
[10:24.440 --> 10:32.760]  a system, can you make a philosophy, if you will, a protocol to be able to respond and make decisions
[10:32.760 --> 10:38.340]  on who you treat with the limited resources you have and in what order. So, I think these are
[10:38.340 --> 10:41.540]  foundational things. I mean, if you don't have a choice, you don't have a choice. If you're
[10:41.540 --> 10:47.020]  responding after an earthquake, you can't treat everyone at the same time equally. You have to
[10:47.020 --> 10:53.040]  pick and choose. I think in some sense, the idea of triage in a healthcare delivery organization
[10:53.040 --> 10:58.020]  from a security standpoint has been one of the trickier things in normal times, right? Because
[10:58.020 --> 11:02.620]  we almost have like a paralysis of indecision. People like us talk about all the ways in which
[11:02.620 --> 11:07.260]  we could improve foundational and infrastructure security of a healthcare delivery organization.
[11:07.260 --> 11:11.100]  We talk about medical devices and things like that. And sometimes it can seem like there are
[11:11.100 --> 11:15.240]  too many things to fix, whereas this triage mentality helps us kind of focus our priorities
[11:15.900 --> 11:19.960]  and really kind of hone in on the things that may be actionable with the biggest yield and
[11:19.960 --> 11:27.440]  impact for resources invested. Yeah, I completely agree. We love security. You know, we drink the
[11:27.440 --> 11:34.200]  Kool-Aid. We are admittedly believe it is a big risk to patient safety. But this is just one of
[11:34.200 --> 11:41.820]  dozens of issues, really serious issues facing healthcare across the globe. Security is just
[11:41.820 --> 11:46.500]  one of them. For instance, you know, the disproportionate allocation of resources
[11:46.500 --> 11:51.540]  for disadvantaged populations, right? Like population health is a big deal, social determinants
[11:51.540 --> 11:56.280]  of health. Security is just one of these things. And I agree, there's this triage element of it.
[11:56.280 --> 12:01.280]  COVID's blown all that up, right? So we have a global pandemic. It is sucking every single
[12:01.280 --> 12:07.740]  resource it possibly can out of the healthcare system. And things like security, undoubtedly,
[12:07.740 --> 12:13.460]  in the triage, if you will, are going lower. I understand that. That's very important. You have
[12:13.460 --> 12:19.440]  to take care of those patients. But what I fear is that we are putting far more attention to
[12:20.000 --> 12:24.100]  treating the immediate issues of COVID, not realizing that we are really opening ourselves
[12:24.100 --> 12:30.040]  up to the vulnerabilities, and we're not fixing them. And as a consequence, we could have a
[12:30.040 --> 12:36.520]  one-two punch. We could have COVID and then a ransomware attack on top of it. Our ability to
[12:36.520 --> 12:42.160]  take care of patients in some of the hospitals across this country is already so hard. If we
[12:42.160 --> 12:47.000]  had to deal with a ransomware attack on top of it, my ability to take care of COVID patients
[12:47.000 --> 12:51.760]  in the emergency department is going to be hindered. That's going to hurt my patients. And so I think
[12:51.760 --> 12:57.260]  foundational security issues are still something to pay attention to during this pandemic.
[12:57.910 --> 13:04.540]  I mean, that's another tenet of disaster medicine, right? You need to fortify your infrastructure
[13:04.540 --> 13:10.820]  during a particular crisis with the anticipation that subsequent issues or events could
[13:11.330 --> 13:20.500]  even further hamper your ability to get the best outcomes in your emergency situation.
[13:20.500 --> 13:26.940]  So let's move on to some of the points that we came up with just in conversation earlier
[13:26.940 --> 13:33.120]  about some of the things that we as clinicians on the ICU core in the emergency room have
[13:33.120 --> 13:38.780]  drawn as parallels to some of the issues that we as security researchers wearing a different hat
[13:39.480 --> 13:45.400]  were worried about and kind of thinking about pre-COVID and see if there are some areas where
[13:45.400 --> 13:51.320]  we can draw parallels and maybe even lessons from that. So I want to talk a little bit about
[13:51.320 --> 13:57.580]  kind of just basic data gathering, right? So this idea of having the information you need
[13:57.580 --> 14:01.260]  in order to make actionable decisions. From the same point of the pandemic,
[14:01.260 --> 14:08.360]  I remember I was out of the country back in February on a medical surgical mission trip,
[14:08.360 --> 14:14.880]  and we at that point just started receiving information. I'm in Sacramento. I work at UC Davis
[14:15.500 --> 14:21.060]  Medical Center, and we were actually the first hospital in the country to care for a patient
[14:21.980 --> 14:27.200]  who was diagnosed with coronavirus, and they weren't able to identify the source of spread,
[14:27.200 --> 14:35.240]  so the first example of what we call the community-acquired case. And that kind of set
[14:35.240 --> 14:41.740]  off this initial first couple of weeks to early months of uncertainty where we really didn't have
[14:41.840 --> 14:46.700]  a good idea about what the epidemiology looked like, right? We knew that there were reports
[14:46.700 --> 14:51.480]  earlier in December about where it had originated from a global standpoint. We
[14:51.480 --> 14:55.840]  knew that we were starting to see cases in other parts of the world, particularly Europe,
[14:55.840 --> 15:01.920]  but we really didn't have a sense of what the overall disease burden was in the U.S. and our
[15:01.920 --> 15:06.740]  communities, and we thought that we were still at an earlier enough phase that we could do
[15:06.740 --> 15:14.100]  individual kind of contract tracing and isolation, kind of this containment model as opposed to the
[15:14.100 --> 15:21.280]  mitigation that we're now in. So I think there were a lot of factors that played into that,
[15:21.280 --> 15:25.820]  obviously, and we don't need to necessarily get into that as much. Some of the issues with
[15:25.820 --> 15:31.620]  cross-cultural communications between countries, some of the mechanisms that we had in place from
[15:31.740 --> 15:37.220]  a federal standpoint that were either kind of like mothballed or not rolled out quite as
[15:37.220 --> 15:45.000]  effectively, but really had a surveillance issue in the beginning period of this crisis. And so
[15:45.520 --> 15:51.100]  do you feel like in healthcare there's a similar almost like fog of war when it comes to security,
[15:51.100 --> 15:55.040]  when it comes to understanding the threats faced by individual organizations, and kind of how
[15:55.040 --> 16:00.040]  robust are we with respect to being able to communicate and share intelligence from that
[16:00.040 --> 16:06.440]  standpoint? I think in some regards we've made like huge strides, right? So things like organizations
[16:06.440 --> 16:14.440]  such as the Help ISAC allow partners to pretty quickly communicate some security issues. So
[16:14.440 --> 16:18.880]  for those of you listening or watching this video, if you're a part of that, you know,
[16:18.880 --> 16:23.300]  you're going to get multiple emails a day from some of these threat intelligence sharing
[16:23.300 --> 16:29.160]  organizations saying, oh, this is going on, pay attention to this. And sometimes the conversations
[16:29.160 --> 16:32.980]  even get to the point of, well, I built some tools, or these were particular rules I wrote,
[16:32.980 --> 16:39.340]  this is how I'm mitigating this particular attack. Those types of things do happen.
[16:39.420 --> 16:45.700]  But generally speaking, we are not, when I say we, healthcare security is not anywhere
[16:45.700 --> 16:50.900]  close to where it should be. Just because these organizations exist don't mean that
[16:50.900 --> 16:56.380]  many hospitals are taking advantage of them. Because of one of the primary things that we
[16:56.380 --> 17:02.460]  want to bring just back to everyone's mind is that there are not a lot of people that
[17:02.460 --> 17:07.240]  work, not a lot of security people that work for healthcare. I mean, there's a dearth of
[17:07.240 --> 17:12.160]  people and resources around insecurity around healthcare. So even if you do have robust
[17:12.160 --> 17:17.940]  communication channels, which I don't think we have, but let's say we do, you need people to
[17:17.940 --> 17:24.160]  receive that information, digest it, and act upon it. And so at the heart of this issue of COVID,
[17:24.160 --> 17:30.020]  we had very poor surveillance at the beginning. I think we have had a chronic issue, a chronic
[17:30.880 --> 17:36.440]  lack of appropriate surveillance of healthcare security. There are a couple of barriers,
[17:36.440 --> 17:42.620]  I think, to that. There's HIPAA. Now I'm going to go ahead and say, of course, I think I can speak
[17:42.620 --> 17:47.100]  for Jeff. We're big supporters of HIPAA. We think the protection of patient information is really,
[17:47.100 --> 17:52.920]  really important. We are hackers, so we care about our data and it being secure. We care about our
[17:54.120 --> 17:59.980]  But HIPAA, or if those of you who aren't up there, that piece of legislation that essentially
[18:01.020 --> 18:05.980]  penalizes people who breach protected health information, leak it, lose it, etc.
[18:07.020 --> 18:12.760]  It's been used as an example of why you can't share information. I can't talk about a breach
[18:12.760 --> 18:16.600]  when we lost a laptop, or I can't talk about a particular vulnerability, a piece of malware that
[18:16.600 --> 18:24.220]  hit because it might be a HIPAA concern. And we need to make sure HIPAA comes first, as opposed to
[18:24.220 --> 18:28.800]  information sharing and protecting the hospital down the street from getting hit with the exact
[18:28.800 --> 18:34.420]  same thing that I did. That should be the priority and it's not. There's liability concerns. So
[18:34.420 --> 18:40.260]  there's the thought of, if there is a breach of a hospital or a hospital is under attack,
[18:40.260 --> 18:45.260]  what will the hospital be liable for? If, for instance, the vulnerability that was exploited
[18:45.260 --> 18:52.480]  had a patch six months ago, and because health care entities deal a lot with other types of
[18:52.480 --> 18:58.880]  legal issues and security is not typically one of them, their legal teams tend to shy away from
[18:58.880 --> 19:07.600]  disclosing information, sharing information in a timely manner. There are always branding concerns.
[19:07.600 --> 19:15.240]  So people don't want to go get care at hospitals that have had breaches. Why? Because there are
[19:15.240 --> 19:19.320]  afraid their information is going to get breached or they're afraid while they're there that they're
[19:19.320 --> 19:23.540]  going to get hacked and something bad will happen to them. So health care institutions generally are
[19:23.540 --> 19:31.140]  adverse to sharing information because of branding concerns and market share competitions,
[19:31.140 --> 19:36.220]  which is some fierce, fierce competition in health care. I was going to say there's also an
[19:36.220 --> 19:41.760]  incredibly complex hierarchy, right? Even within a single health care delivery organization with
[19:41.760 --> 19:49.300]  respect to the number of people that are involved in some of those branding issues that you talked
[19:49.300 --> 19:53.940]  about, some of the legal and liability issues. And it's very hard to centralize and coordinate
[19:53.940 --> 19:59.060]  decisions with respect to security sometimes because they affect so many different aspects of
[19:59.340 --> 20:05.200]  a hospital's function. And we kind of saw something similar in the overall, I would say, government
[20:05.200 --> 20:14.080]  response to this current crisis is that you just have a lot of different levels of leadership,
[20:14.080 --> 20:19.440]  levels of decision-making, levels of stakeholders from a federal, state, and local level. And
[20:19.440 --> 20:24.240]  sometimes those wires can get crossed and sometimes there isn't the best communication
[20:24.240 --> 20:29.000]  with the degree to which their spheres of responsibilities overlap. So sometimes I think
[20:29.000 --> 20:33.680]  we make mutual assumptions that somebody else is covering a certain problem, whether it's things
[20:33.680 --> 20:39.400]  like PPE or bed capacity or things like that. We sometimes say, well, don't worry
[20:39.400 --> 20:43.400]  about the number of ICU beds we have because the federal government will send this hospital ship or
[20:43.400 --> 20:47.720]  we're expecting a shipment of PPE from the state. And sometimes I think that
[20:48.880 --> 20:54.160]  degree of organizational complexity makes it really, really difficult to make quick, streamlined
[20:54.160 --> 20:58.280]  decisions. And sometimes that can also affect the composition of the teams that you're working with,
[20:58.280 --> 21:03.120]  right? So if you have a system that is not quite as efficient or as effective, you can get pretty
[21:03.120 --> 21:07.440]  high turnover. I think we've seen that before in hospital security teams, right? There's this
[21:07.980 --> 21:11.620]  additional level of complexity that comes with working within healthcare that people
[21:11.620 --> 21:14.900]  from the outside aren't always accustomed to. And sometimes that can be very frustrating
[21:14.900 --> 21:18.680]  to the security professional working in healthcare for the first time. And I think
[21:18.680 --> 21:23.700]  we've both seen instances of pretty significant burnout and turnover in that sense, simply from
[21:23.700 --> 21:27.680]  the complexity of the overall organizational structure.
[21:28.640 --> 21:33.620]  Completely agree. You know, hackers want to make things better for the most part. You know,
[21:33.620 --> 21:39.500]  we could talk about malicious adversaries, etc. But that aside, hackers, security folks,
[21:39.500 --> 21:43.240]  they're trying to make things better. They're trying to make things more secure.
[21:43.240 --> 21:47.960]  And when they go work for a healthcare organization, that's a great opportunity to do some,
[21:47.960 --> 21:53.980]  to take your knowledge and your skills and put it towards helping people. You might not be at
[21:53.980 --> 21:58.420]  bedside pushing a medication and an IV, but if you're supporting the hospital's infrastructure
[21:58.420 --> 22:03.660]  that made that medication administration possible and safe and secure, you're really,
[22:03.660 --> 22:08.400]  really doing something good. Just like you mentioned, we've heard horror story after
[22:08.400 --> 22:16.620]  horror story about talented security professionals, talented hackers going and working at hospitals,
[22:16.620 --> 22:22.260]  taking a pay cut, and then finding concerning things, bringing them to the attention of their
[22:22.260 --> 22:28.680]  leadership, and at the end of the day saying, we can't fix that issue because of, insert some
[22:29.540 --> 22:36.180]  reason, the cardiologist said no, they want to use that vulnerable device because it's their
[22:36.180 --> 22:42.960]  favorite, or we don't have the budget to do that, we need to buy a new MRI machine, etc., etc. So it
[22:42.960 --> 22:49.500]  can be demoralizing to work for a healthcare organization in a security capacity and feel
[22:49.500 --> 22:54.960]  like you can't really change things. And a lot of that has to do with the bureaucratic complexities,
[22:54.960 --> 23:00.040]  you know, COVID, there are so many different agencies and state governments, etc., it's just
[23:00.040 --> 23:07.040]  turned into this bureaucratic nightmare. Even in the best of times, a hospital is still a
[23:07.040 --> 23:13.340]  bureaucratic nightmare with so many different layers of administration and clinical expertise
[23:13.340 --> 23:18.840]  that at the end of the day, the bureaucracy can cause rapid turnover of our security
[23:18.840 --> 23:26.180]  professionals. And, you know, we need them there. The 2017 Health and Human Services Task Force
[23:26.180 --> 23:32.900]  report, commissioned by Congress, came back and said they thought a minority of hospitals in the
[23:32.900 --> 23:39.160]  United States have even a single full-time security professional on staff, you know, but yet
[23:39.160 --> 23:44.540]  we still march forward connecting more systems together, increasing our attack
[23:44.540 --> 23:51.240]  surfaces, etc., without the commensurate investment in security personnel. As a consequence of that,
[23:51.240 --> 23:55.680]  we're putting ourselves in an even worse situation where we are more vulnerable, we have less people
[23:55.680 --> 24:01.180]  to respond to, and the bureaucracy is getting even more complex. It's an impossible proposition
[24:01.180 --> 24:03.860]  to face. That problem of turnover,
[24:06.640 --> 24:11.120]  it really highlights how important institutional memory is, right? And I think that was something
[24:11.120 --> 24:15.180]  that we saw from the standpoint of pandemic response, too, is that there were structures
[24:15.180 --> 24:19.220]  in place, there were playbooks in place. Some of the problems that we've run into could have
[24:19.220 --> 24:23.540]  potentially been solvable. And I think we've both seen examples of clinical situations
[24:24.320 --> 24:29.600]  with respect to security where, you know, people have worked on a problem, they've even come up
[24:29.600 --> 24:33.480]  with a potential solution to a problem, they've even started to implement that solution. And then
[24:33.480 --> 24:39.100]  they go, whether it's for, you know, other opportunities, or just the disillusionment
[24:39.100 --> 24:43.800]  that we've already talked about, they leave. And the next person coming in sometimes doesn't have
[24:43.800 --> 24:47.120]  the ability to pick up where they left off, they have to kind of reinvent the wheel from the very
[24:47.120 --> 24:53.520]  beginning. And that chance to build the institutional memory is kind of lost.
[24:55.060 --> 24:59.440]  Absolutely. And that's a problem in a lot of different industries, but it's particularly
[24:59.440 --> 25:05.580]  important in healthcare, because there are so much, there's so much specialized, weird medical
[25:05.580 --> 25:10.860]  devices. It feels like if you work at a hospital, you know, I don't work for IT at a hospital or
[25:10.860 --> 25:15.700]  security at a hospital, you don't only have to know the technical infrastructure and routers
[25:15.700 --> 25:20.400]  and firewalls like you do at any other organization, you also have to know all this weird,
[25:20.400 --> 25:28.080]  this device on the fourth floor is a 10 year old infusion pump. And it acts very strange. And
[25:28.080 --> 25:31.700]  we have tried our best to mitigate its vulnerabilities in the following way.
[25:31.900 --> 25:36.540]  And it does this function. And when it doesn't do this function, this is the health implication,
[25:36.540 --> 25:41.240]  there's so much more context around the technological infrastructure in a hospital
[25:41.240 --> 25:46.340]  that is outside the regular domain of security. And so if you don't have institutional memory,
[25:46.340 --> 25:53.240]  you can't pass down that knowledge, that healthcare context specific knowledge,
[25:53.240 --> 25:57.880]  and that doesn't exist, and you just have rapid turnover, you're risking someone forgetting about
[25:57.880 --> 26:01.400]  the device or what you did about it. And as a consequence, you're just putting yourself
[26:01.400 --> 26:04.500]  out there more and becoming even more vulnerable.
[26:06.040 --> 26:11.140]  So I want to talk about communication a little bit, because I think that this is something that
[26:11.140 --> 26:17.060]  has been very challenging from a clinical standpoint, right? And so tell me if you have
[26:17.060 --> 26:23.520]  had the experience where you are caring for these patients, you are constantly receiving
[26:23.520 --> 26:28.120]  updated protocols with respect to how to safely use protective equipment or the certain situations
[26:28.120 --> 26:32.360]  in which, you know, an aerosol generating procedure might be taking place. So you need
[26:32.360 --> 26:36.320]  to have an N95 at that point. But if you're just going into, you know, assess the patient,
[26:36.320 --> 26:40.880]  you can get away with contact droplet precautions. There's so much that we are learning in real
[26:40.880 --> 26:48.200]  time about the sort of natural course of this disease, about best practices for how to treat
[26:48.200 --> 26:55.940]  it. That communication from a clinical standpoint is very important. And there's a transparency
[26:55.940 --> 27:00.920]  that I think, with the best examples of this, it's very beneficial to kind of tell people,
[27:00.920 --> 27:03.760]  this is the information that we're seeing, this is how we're making these decisions,
[27:03.760 --> 27:07.320]  this is why we're implementing things in a certain way. And when you have situations
[27:07.320 --> 27:13.160]  where that's not the case, you know, whether it's canceling elective surgeries, whether it's
[27:13.160 --> 27:17.180]  how we allocate beds, whether it's our testing protocols and things like that, it's very
[27:17.180 --> 27:22.800]  demoralizing and kind of dispiriting sometimes for the clinicians across the country to be put
[27:22.800 --> 27:25.800]  in situations where they don't really understand how the decisions are made or how they're
[27:25.800 --> 27:32.920]  communicated. There is an entire other filter over that with respect to certain, you know,
[27:32.920 --> 27:37.160]  trustworthiness of information from a partisan or ideological standpoint that we need to get
[27:37.160 --> 27:44.020]  into. But clearly, communication and how we talk to each other during these types of situations
[27:44.020 --> 27:49.000]  has been key on the clinical side. And I was just wondering what your thoughts were
[27:49.000 --> 27:53.900]  with respect to how we talk about healthcare security and those issues.
[27:54.860 --> 28:05.520]  Yeah, I remember when we first started seeing COVID patients at my hospitals. And I remember
[28:06.380 --> 28:12.300]  many doctors across the country were getting their information about how to treat them on Twitter.
[28:12.640 --> 28:19.880]  You know, should you give large amounts of IV fluid? Should you give patients ibuprofen if
[28:19.880 --> 28:24.680]  they have... remember that? There was this issue about whether or not NSAIDs like ibuprofen could
[28:24.680 --> 28:30.340]  make it worse. There was... I remember this adamantly. The first time I had to intubate
[28:30.880 --> 28:37.620]  a COVID patient, it was because there was this very early information saying,
[28:37.620 --> 28:43.260]  hey, you should intubate these patients early instead of try non-invasive airway maneuvers like
[28:43.260 --> 28:49.700]  high flow oxygen or BiPAP. There was this fear around BiPAP that if you put this on, it's a mask,
[28:49.700 --> 28:53.960]  it goes over their mask and provides positive pressure and helps patients breathe.
[28:53.960 --> 28:58.180]  The fear was that that would aerosolize the virus and that everyone in the room,
[28:58.180 --> 29:02.940]  even if you were covered head to toe in PPE, would get the virus if you put a patient on BiPAP. So
[29:02.940 --> 29:08.360]  there's all these different communication streams, getting information on how to treat patients on
[29:08.360 --> 29:13.760]  Twitter, the academic literature, which is the foundation of how we treat patients, right? So
[29:13.760 --> 29:20.720]  in medicine, we do studies, we design things, and we collect data, we publish on the scientific
[29:20.720 --> 29:27.480]  method. In COVID, a lot of that we didn't have time for, like we didn't have random placebo
[29:27.480 --> 29:34.020]  controlled trials on ibuprofen yet. We didn't have this type of information. So these communication
[29:34.020 --> 29:40.360]  streams, they just weren't authoritarian. They weren't coming in a coherent way. There was
[29:40.360 --> 29:46.920]  conflicting information. There was a lot of concern about where the data was coming from,
[29:46.920 --> 29:53.300]  you know, and as a consequence, I think it really just paralyzed a lot of frontline
[29:53.880 --> 29:59.160]  clinicians. We were, what do we do? I heard we should do this yesterday. Now I'm hearing we
[29:59.160 --> 30:07.760]  shouldn't do it today. That was really unfortunate. Its parallels in healthcare cybersecurity are many.
[30:07.760 --> 30:12.240]  We've already touched on a few, you know, information sharing being one of them, but I just
[30:12.240 --> 30:19.040]  want to bring up a very important part of this, which is, if there is any silver lining out of
[30:19.040 --> 30:25.600]  what, you know, of the response to coronavirus, it's that the academic journals that a study could
[30:25.600 --> 30:32.500]  take years to collect data and publish, big journals like the New England Journal, Lancet,
[30:33.100 --> 30:39.500]  a few, JAMA, etc. They said, we need to rapidly review this literature and start getting it out
[30:39.500 --> 30:44.520]  there. So they reduced their standards for what would get published a little bit for the sake of,
[30:44.520 --> 30:49.840]  we need to rapidly publish. At the heart of that is this need for information sharing
[30:49.840 --> 30:56.740]  and communication. It wasn't the best, but at least they tried. We don't have that in healthcare
[30:56.740 --> 31:05.020]  cybersecurity. We don't have hospitals knowingly giving us information, data, anonymized data
[31:05.020 --> 31:12.740]  on attacks. We don't share data and study it critically and publish that very often. Instead,
[31:12.740 --> 31:16.920]  hospitals are saying, we got breached. We don't need to study this. We don't need to share the
[31:16.920 --> 31:21.180]  raw data. Instead, we need to forget that this happened, pay our HIPAA fine, and hope we don't
[31:21.180 --> 31:27.100]  ever get into scrutiny again. We really need to change our philosophy in healthcare security
[31:27.100 --> 31:36.060]  to collect data, pool data, design studies where we can make some meaningful conclusions at the
[31:36.060 --> 31:41.160]  end of the day. That's science. We need to share that with everyone. We need to go through peer
[31:41.160 --> 31:46.360]  review so that other people can review the data and make sure that what we're saying is consistent
[31:46.360 --> 31:50.700]  with what they've experienced. So at the end of the day, we can answer some fundamental questions
[31:51.220 --> 31:56.840]  that people on this video call have heard time and time again. For example, the question,
[31:56.840 --> 32:01.680]  should you pay the ransom if your hospital is ransomed? You'll hear 15 different opinions
[32:01.680 --> 32:06.360]  about whether or not you should pay the ransom if your hospital is under ransomware attack.
[32:06.660 --> 32:13.020]  But what we don't have is a reliable data set from all the prior hospitals who've been ransomed,
[32:13.020 --> 32:17.600]  looking at things like outcome, how much they paid so that we can take that data,
[32:17.600 --> 32:24.180]  make meaningful conclusions, and through the scientific method, provide recommendations at
[32:24.180 --> 32:29.100]  the end of the day that are evidence-based. In medicine, we call that evidence-based medicine.
[32:29.100 --> 32:33.320]  We want to pick the right treatments and do the right thing because there's evidence.
[32:33.320 --> 32:38.440]  In healthcare cybersecurity, we don't have the evidence base because we don't share it.
[32:38.440 --> 32:45.480]  We really need to change that. COVID, we were able to, not perfectly, but we saw some glimmering
[32:45.480 --> 32:50.180]  hopefully in some respects, particularly with the journals, of that getting better.
[32:50.980 --> 32:57.800]  Yeah, I totally agree. I want to just go back and clarify too that when talking about the mixed
[32:57.800 --> 33:03.100]  messages that we had early on, that in and of itself is not a problem. It's okay if we don't
[33:03.100 --> 33:07.980]  know initially in a situation like this, whether the best clinical intervention is invasive
[33:07.980 --> 33:12.900]  mechanical ventilation or non-invasive positive pressure ventilation. It's okay in the initial
[33:12.900 --> 33:18.140]  period of this when we're still collecting those data points to be able to say, we don't know,
[33:18.140 --> 33:22.420]  there are a couple of different possibilities here and we're going to try one or the other.
[33:22.480 --> 33:25.700]  I mean, that's the scientific method. That's the process by which we generate a hypothesis
[33:25.700 --> 33:31.740]  and then test it. So having different options or different messages initially is not an issue.
[33:31.740 --> 33:37.280]  It's then needing to, as you said, gather that data. And I think we, even before all of this,
[33:37.280 --> 33:42.760]  we have been of the perspective that if it does turn out that we are able to look back in five
[33:42.760 --> 33:48.200]  to ten years, that healthcare security was not necessarily the issue of magnitude we thought it
[33:48.200 --> 33:53.020]  was. I think you and I, as scientists, are both going to be fine with that and able to say, you
[33:53.020 --> 34:00.420]  know, we're much more at peace with the concept of advocating for these issues and for it not
[34:00.420 --> 34:04.640]  turning out to be a big patient safety issue than if we were to sort of ignore them and allow it
[34:04.640 --> 34:11.500]  to be that. As kind of a tangent to that, I just wanted to ask you briefly, because from a standpoint
[34:11.500 --> 34:16.240]  of communication in this space, in the healthcare security space, we often get opposing viewpoints,
[34:16.240 --> 34:22.800]  which is totally fine. But something I've been thinking about is we have come into
[34:24.260 --> 34:28.400]  conversations with people who have said, you know, healthcare is something that we don't think
[34:28.400 --> 34:34.800]  attackers are particularly motivated to sort of target or focus on, because, you know,
[34:34.800 --> 34:38.200]  it's a hospital and why would you go after a hospital or why would you go after a medical
[34:38.200 --> 34:42.240]  device? We just don't think that's going to be a powerful motivating factor for people.
[34:42.600 --> 34:47.500]  We've obviously seen some examples over the last couple of months where there have been attacks
[34:48.060 --> 34:54.360]  at institutions that were actively treating COVID patients or actively engaged in COVID research.
[34:54.560 --> 34:59.280]  And it seems that in some of those cases, the particular, you know, there was a very precise
[34:59.280 --> 35:06.220]  targeting based on that fact and that situation. What do you think about the argument now that
[35:06.220 --> 35:10.260]  healthcare is sort of this different sacrosanct space that won't necessarily be
[35:10.260 --> 35:15.840]  the focus of other types of attacks because of its kind of unique nature in that sense?
[35:16.560 --> 35:20.480]  Yeah, I think that's demonstrably false. You brought up a couple of good examples of
[35:21.680 --> 35:29.380]  adversaries who willfully have targeted healthcare infrastructure, primarily COVID research,
[35:29.380 --> 35:37.420]  for their own gain. And I think those out there that are still saying, you know,
[35:37.420 --> 35:41.060]  hackers aren't going to target healthcare because no one would ever be that evil,
[35:41.060 --> 35:46.840]  really just need to wake up to the fact that two things are true. One, adversaries are doing that.
[35:46.960 --> 35:52.600]  Attacks are increasing, they're not decreasing. And then two, many adversaries might not even
[35:52.600 --> 36:01.000]  know that they're attacking healthcare, right? So there's no set of IP addresses that are only
[36:01.000 --> 36:06.640]  allocated to hospitals, right? So if you're out there scanning, trying to propagate malware,
[36:06.640 --> 36:10.380]  you could hit a hospital and not even know it, right? And by the time you figure that out,
[36:10.380 --> 36:17.720]  the damage might already be done. So I think we really need to go away from this paradigm of,
[36:18.270 --> 36:26.000]  based on what we think attackers' motivations are, clearly to understanding their motivations,
[36:26.000 --> 36:31.940]  but also assuming that we might not fully understand their motivations, or their motivations
[36:31.940 --> 36:38.560]  may be ill-aimed, or that they might not even be intending to harm us. That's the way we stay safe.
[36:38.560 --> 36:42.620]  You know, it's not bury our head in the sand, no one's evil enough to attack healthcare.
[36:42.620 --> 36:47.800]  It's instead, assume it's being attacked every day because it is, and treat it like any other
[36:47.800 --> 36:52.880]  valuable resource that a hacker, you know, a malicious adversary might be going after,
[36:52.880 --> 36:58.900]  like a bank, for example. And these types of... and then also the research infrastructure is
[36:58.900 --> 37:02.720]  really important. You know, people don't necessarily equate the scientific method
[37:02.720 --> 37:08.880]  and institutions of higher learning as part of the healthcare infrastructure, but they truly are.
[37:08.880 --> 37:15.340]  Many universities in this world are connected directly to hospitals, like their networks are
[37:15.340 --> 37:21.260]  actually connected, right? So, in addition, the work that is done on the university side,
[37:21.260 --> 37:26.540]  or the biotech side, directly influences clinical practice. And if you take out, for instance,
[37:26.720 --> 37:35.700]  a COVID vaccine data cohort, right? So, we are testing the vaccine for the COVID rollout. If you
[37:35.700 --> 37:41.420]  attack the infrastructure that collects the data about those results, you could put the vaccine
[37:41.420 --> 37:49.820]  back weeks to months. And as a consequence, patients will die. That is a scary proposition.
[37:49.820 --> 37:55.600]  And we got to understand that it's not very clear where the boundaries of healthcare stop.
[37:55.600 --> 38:02.400]  And so, we really need a wider appreciation of what exactly is healthcare infrastructure
[38:02.940 --> 38:08.400]  and what domains are affecting the care of patients that are much broader than most people realize.
[38:10.740 --> 38:12.880]  Buddy, I want to talk really quickly about
[38:15.380 --> 38:19.480]  some of the definitive solutions that we're searching for with respect to COVID. And I
[38:19.480 --> 38:26.660]  think you mentioned that, you know, there are vaccines that are in the works. And I think,
[38:26.660 --> 38:30.420]  hopefully, people will be able to look back after all this is over with it and say, man,
[38:30.420 --> 38:35.240]  we really went through that process faster than any other time in human history. So,
[38:35.240 --> 38:39.640]  to talk about a vaccine, you know, I think they're already in stage three trials. It's in the
[38:39.640 --> 38:44.740]  candidate six months after this virus was first discovered. It's pretty incredible just from a
[38:44.740 --> 38:49.080]  science standpoint. But right now, you and I clinically, when we're taking care of these
[38:49.080 --> 38:55.060]  patients, we don't have direct therapeutics that are really targeted at how this particular virus
[38:55.060 --> 38:59.660]  works and the way that it infects and spreads. We have adjuncts. We have things that we think
[38:59.660 --> 39:05.500]  are helpful. And a lot of the care just kind of comes down to supportive practices with respect
[39:05.500 --> 39:10.040]  to managing organ system effects and things like that, so that, hopefully, patients recover on
[39:10.040 --> 39:16.840]  their own. So, we're still looking for therapeutics that work directly in inhibiting the virus
[39:16.840 --> 39:21.200]  mechanism of action and replication. We're still looking for vaccines, obviously, to be rolled out.
[39:22.740 --> 39:28.700]  I feel like there is a association there with how we think about some of the tools we have in
[39:28.700 --> 39:33.900]  security writ large and how those are implemented in healthcare and how we really haven't yet
[39:33.900 --> 39:39.780]  come to a place where we have healthcare-specific security tools or practices. This is obviously much
[39:39.780 --> 39:45.840]  more relevant to medical devices and things like that, but where do you think we are
[39:45.840 --> 39:51.120]  with respect to getting products and tools and practices that are tailored specifically for
[39:51.120 --> 39:58.460]  healthcare? Yeah, I think we're on our way. We take this slide image because when we first started
[39:58.460 --> 40:03.920]  into this and talking about this, shoot, Jeff, what it was like 10 years ago, 15 years ago?
[40:04.400 --> 40:09.840]  I just looked back on my timeline and we started med school 10 years ago. Congratulations, you old
[40:09.840 --> 40:16.440]  dude. When we first started getting into this, the only solutions that people would say to
[40:16.440 --> 40:21.700]  protect a hospital were basically just rebranded security tools from other industries, right? So,
[40:21.700 --> 40:27.360]  they basically just took, let's take the tenets and principles around PCI compliance and let's
[40:27.360 --> 40:34.420]  make your hospital PCI compliant for healthcare medical devices. And what we really saw was that
[40:34.420 --> 40:41.900]  just doesn't work. To draw an analogy from the medicine realm, we're not treating COVID by giving
[40:41.900 --> 40:50.340]  flu shots, right? There are no antibiotics that work for COVID, right? So, just because they work
[40:50.340 --> 40:54.900]  in other diseases doesn't mean they're going to work in this particular instance. And what
[40:54.900 --> 41:01.340]  we've been saying for a long time is that if you just borrow the tools from other industries
[41:01.340 --> 41:06.760]  without understanding how healthcare works and you deploy them in such a way, they're probably not
[41:06.760 --> 41:12.660]  going to be very effective, right? We have a big problem with legacy devices in healthcare, for
[41:12.660 --> 41:20.320]  example, that wouldn't be tolerated, legacy medical devices that run out-of-date operating systems
[41:20.320 --> 41:24.460]  that are essentially unpatchable, that have really nasty vulnerabilities and that will be around on
[41:24.460 --> 41:29.760]  your network for 10 years, for example. That wouldn't be tolerated in banking infrastructure
[41:29.760 --> 41:34.800]  at a large bank, in a large, well-resourced bank, right? They wouldn't let a machine on their
[41:34.800 --> 41:42.700]  network that had those vulnerabilities. But yet, we expect that if we take the same exact approach
[41:42.700 --> 41:46.920]  to banking security and apply it towards healthcare cybersecurity, that we're going to get the same
[41:46.920 --> 41:51.400]  results. And what you quickly realize is that that's just not possible. You have to really
[41:51.400 --> 41:56.400]  change your way and understand the context around clinical care, for example.
[41:56.400 --> 42:02.420]  You also have to understand how your cybersecurity tools impact clinical care,
[42:02.420 --> 42:09.300]  right? So, just as much as there's been examples of vulnerable imaging devices like CT scanners
[42:09.300 --> 42:15.580]  and MRI machines that can be infected with malware and cause availability issues, there's also been
[42:15.580 --> 42:21.860]  discussions about examples of patching these devices, so well-intentioned patching
[42:21.860 --> 42:28.720]  that results in essentially bricked devices. And if you don't have a CT scanner at a stroke
[42:28.720 --> 42:34.160]  center, for example, or if you had two and you take one out because it's been bricked by a failed
[42:34.160 --> 42:39.980]  patch, the next stroke patient or the next trauma patient that comes in to the hospital could have
[42:39.980 --> 42:45.720]  to wait longer for their scan. And that could mean the difference about whether they get a
[42:45.720 --> 42:50.100]  medicine in a critical time window. It could be the difference about whether they talk or they
[42:50.100 --> 42:54.700]  walk. It could be the difference between whether or not they go to surgery and get a bullet taken
[42:54.700 --> 43:00.700]  out of a particular location sooner. So, these have real implications. If you just think you
[43:00.700 --> 43:06.140]  can apply your same philosophy, your same tools, in exactly the same way in healthcare, you're
[43:06.140 --> 43:12.440]  going to be sorely mistaken. And you have to do so in a mindful way to avoid patient care
[43:12.440 --> 43:19.060]  implications and patient harm. I could not agree more, my friend. Listen, we could probably talk
[43:19.060 --> 43:22.960]  about this for another three hours. I think we have just barely scratched the surface here,
[43:22.960 --> 43:26.780]  but I think we're almost at the 45-minute mark. And what I want to do is leave some time for
[43:26.780 --> 43:31.020]  questions on the live session to make sure that we don't overstay our welcome.
[43:32.360 --> 43:36.820]  This has been really fun. I am so happy we got to do this. I want to thank, again,
[43:36.820 --> 43:39.940]  everybody at the Biohacking Village for giving us the opportunity. It's an honor.
[43:40.100 --> 43:46.280]  We wish we could see you guys and give you big aseptic hugs, but unfortunately, that's not the
[43:46.280 --> 43:52.000]  world that we're living in. We just hope everybody is staying safe and healthy. And hopefully this
[43:52.000 --> 43:57.500]  time next year, we'll all get together and have a have a beer and be able to have this behind us.
[43:57.500 --> 44:04.300]  Kwadi, I miss you, man. We should hang out sometime, virtually, of course. And
[44:04.300 --> 44:08.460]  looking forward to the Q&A. And thanks, everybody. Appreciate it.
